Simon Bisson & Mary Branscombe's Blog

Spam Fighting in Exchange

By Simon Bisson & Mary Branscombe in Editorial

Posted in Spam, Email on August 6, 2008 at 9:09 am


How can you fight spam with one of the most common email servers out there? After all, surely that should mean it’s an easy play for the spammers, with enough holes to get every V1agr4 advert and pump-and-dump scam into your users’ mailboxes.

It turns out it isn’t - and that the built-in tools are effective spam blockers.

If you’re not using Exchange 2007 Content Filter (or Exchange 2007’s Intelligent Message Filter) turn them on. This is one of the most effective weapons in your arsenal. It’s regularly updated, and it scans messages for common spam formats. Messages are categorised and given spam ratings, which you can use to reject, quarantine, or file messages in users’ Junk Mail folders. CF is surprisingly easy to use - set it up, set the basic filtering rules, and then occasionally check your quarantine mailbox for false positives.

Exchange 2007 has even added whitelisting for persistently filtered false positives. Once a domain is whitelisted, there’s no more delving in the spam folders for Twitter invites or press releases from Kaspersky and Sophos.

I’d been running my server like that for some time, when I discovered another trick that turned out to make a huge difference. Exchange actually supports using real-time block lists (RBLs), which are lists of spam IP addresses hosted by services like SpamCop and Spamhaus. It’s trivially easy to add new block lists to Exchange - just find the lookup address on the block list site (Spamhaus’ is zen.spamhaus.org), and add it and the provider name in the Block List Provider section of Exchange’s anti-spam tools.
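What a block list lookup does under the hood, as an added example that is not code from the post or from Exchange: the connecting IP's octets are reversed, the provider's lookup address is appended, and the DNS answer decides the verdict. The function names, the stub resolver and the documentation-range addresses are assumptions constructed for illustration; the 127.255.255.0/24 range is what Spamhaus uses for error returns rather than listings.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"  # lookup address named in the post
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")      # RFC 5782: listings answer in 127/8
ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")  # Spamhaus error returns, not listings

def dnsbl_query_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify(answer):
    """Map a resolver answer (A record string, or None for NXDOMAIN) to a verdict."""
    if answer is None:
        return "not-listed"
    a = ipaddress.IPv4Address(answer)
    if a in ERROR_NET:
        return "error"       # query refused or malformed; rejecting mail here is a false positive
    if a in LISTED_NET:
        return "listed"
    return "unexpected"      # e.g. a resolver that rewrites NXDOMAIN; never treat as listed

def system_resolver(name):
    """Live lookup (needs network). NXDOMAIN -> None; other failures propagate."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return None
        raise

def check(ip, resolver=system_resolver, zone=ZONE):
    """Return (query name, verdict) for one connecting IP."""
    name = dnsbl_query_name(ip, zone)
    return name, classify(resolver(name))

# Constructed answers for documentation addresses; these are not real listings.
CONSTRUCTED = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.2",
    "20.2.0.192.zen.spamhaus.org": "127.255.255.254",
    "30.2.0.192.zen.spamhaus.org": "203.0.113.80",
}

def stub_resolver(name):
    return CONSTRUCTED.get(name)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "198.51.100.7"):
        print(ip, *check(ip, stub_resolver))
```

Only the "listed" verdict should ever lead to a rejection; "error" and "unexpected" answers are worth logging and alerting on, since they usually mean the lookup path itself is broken.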

Without RBL support turned on I was getting 500 or so spam messages in my quarantine a day, making it hard to filter out the few false positives. With it on, I’m down to less than 100. Managing my spam is a lot easier - and with whitelisting, I’m having to look in the spam folder a lot less often…

–Simon

Comments

Comment by Serge Fernell - August 6, 2008 on 9:53 am

NOTE CORRECTION: Spamhaus RBL (by far the most reliable and most effective of all) is: zen.spamhaus.org (the one mentioned in the article, sbl.spamhaus.org, is just one part of ZEN, you need to be using zen.spamhaus.org if you want proper spam filtering)

Comment by Simon Bisson & Mary Branscombe - August 6, 2008 on 10:10 am

Thanks for that! I’ll amend the post accordingly…

…and update my mail server!

Comment by Jason - August 8, 2008 on 11:47 am

Interesting point about the Exchange 2007 Content Filter, we are currently running Mailsweeper and I wonder if the functionality of the built-in Exchange Filter is comparable?

RBL can be very useful for keeping a large majority of unwanted mail out but before implementing something like this a business has to be fully aware of the implications - especially from the risk of false negatives. I.e. genuine mail that fails to get through.

From time to time a valid sender can appear on an RBL through little fault of their own and the RBL filter will simply reject them - whilst many of these are probably unwanted anyway there is always the possibility of a customer order being lost. If that customer is an important customer they are unlikely to take kindly to an outright rejection of mail. We discovered this lesson the hard way. In the times we have experienced this with trading partners the sender has been unaware at the point of sending an email that they are on a blacklist.
